Is it OK to use an email address as the CN attribute in ADAM (I don't mean the email/mail attribute)? I have a requirement that calls for ADAM for authentication and the user's email address as the CN (e.g. CN=jsmith@yahoo.com and CN=mary@gmail.com). It seems odd to have an "@" character in the CN property, but I tested it and authentication works fine. I can't find anything online to suggest an email address should not be used as the CN, except that an ADAM CN cannot have more than 64 characters, which could potentially be an issue in rare cases. Also, Softerra LDAP browser won't allow me to add a UPN with multiple "@" characters, although this project doesn't include UPN in the scope. Sanity check before we pull the trigger. Thanks, Jim


1 Answer


I would advise against that. The attribute used to bind is the RDN. If you look up your object class in the LDS schema, you will find that cn is the RDN (the display name of the attribute is rDNAttID).

IIRC the only way to change the RDN is to have it set to what you want when the schema is imported.

That leaves you two choices:

  1. Create a new objectClass that has mail as the RDN, and add that objectClass to your users
  2. Do a search-and-bind

I really have no idea if option #1 will work.

Option #2 is how I always do it. Your application will:

  1. Search for a user based on an attribute (make sure it is indexed)
  2. If there is more than one match, deny authentication.
  3. If there is only one match, use the distinguishedName of the object you found and the supplied password to bind.

The limits imposed by Softerra are not in AD-LDS. You can create a user named @@@@@@@@@ easily with LDP (pardon my French):

(Screenshot: adding user @@@@@@@@@ with LDP)

Gives the following result:

***Calling Add...
ldap_add_s(ld, "cn=@@@@@@@@@,OU=stuff,DC=example,DC=com", [2] attrs)
Added {cn=@@@@@@@@@,OU=stuff,DC=example,DC=com }.
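The search-and-bind procedure from the answer above, written out as an added example (this is not code from the original post). The base DN mirrors the answer's LDP output, while the `mail` attribute, the `user` object class, the hostname, the service account and the sample users are assumptions. The in-memory `FakeDirectory` is constructed so the logic can be exercised offline; `Ldap3Directory` is the same interface backed by the ldap3 library for a real AD LDS instance. Two details the answer's three steps leave implicit are handled explicitly: the login is escaped before it goes into the filter (otherwise a login of `*` matches every user), and an empty password is refused before the bind (RFC 4513 allows a server to treat DN-plus-empty-password as an unauthenticated bind that succeeds).

```python
"""Search-and-bind against AD LDS: search on an indexed attribute, deny unless
exactly one entry matches, then bind with that entry's distinguishedName."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional, Protocol


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed inside an LDAP filter, so a login such
    as '*' or 'x)(mail=*' cannot change the meaning of the search."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


class Directory(Protocol):
    def search_dns(self, base_dn: str, ldap_filter: str) -> list[str]: ...
    def bind(self, dn: str, password: str) -> bool: ...


def authenticate(directory: Directory, base_dn: str, login: str, password: str,
                 attribute: str = "mail") -> Optional[str]:
    """Return the DN of the authenticated user, or None when authentication is denied.
    `attribute` (mail assumed) must be indexed; objectClass 'user' is an assumption
    about the AD LDS schema in use."""
    # RFC 4513 5.1.2: a DN with an empty password may be treated as an
    # *unauthenticated* bind that returns success, so reject it up front.
    if not password:
        return None
    ldap_filter = f"(&(objectClass=user)({attribute}={escape_filter_value(login)}))"
    matches = directory.search_dns(base_dn, ldap_filter)   # step 1: search
    if len(matches) != 1:                                  # step 2: none or ambiguous -> deny
        return None
    dn = matches[0]
    return dn if directory.bind(dn, password) else None    # step 3: bind as that DN


@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for AD LDS (sample data, not a real instance).
    Understands only the filter shape authenticate() builds."""
    entries: dict[str, dict[str, str]]   # dn -> {"mail": ..., "password": ...}

    @staticmethod
    def _unescape(value: str) -> str:
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

    def search_dns(self, base_dn: str, ldap_filter: str) -> list[str]:
        m = re.fullmatch(r"\(&\(objectClass=user\)\((\w+)=(.*)\)\)", ldap_filter)
        if not m:
            return []
        attr, raw = m.group(1), m.group(2)
        wanted = self._unescape(raw)
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and (raw == "*"   # unescaped '*' is a presence filter, as on a real server
                     or attrs.get(attr, "").lower() == wanted.lower())]

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password


class Ldap3Directory:
    """Real AD LDS access through ldap3 (imported lazily so the offline demo has no
    dependency). LDAPS is used because a simple bind otherwise sends the password
    in the clear; host, port and service account are supplied by the caller."""

    def __init__(self, host: str, service_user_dn: str, service_password: str, port: int = 636):
        import ldap3
        from ldap3.core.exceptions import LDAPException
        self._ldap3, self._LDAPException = ldap3, LDAPException
        self._server = ldap3.Server(host, port=port, use_ssl=True)
        # A dedicated read-only service account performs the search (step 1).
        self._svc = ldap3.Connection(self._server, user=service_user_dn,
                                     password=service_password, auto_bind=True)

    def search_dns(self, base_dn: str, ldap_filter: str) -> list[str]:
        # "1.1" asks the server for no attributes; only the DN is needed.
        self._svc.search(base_dn, ldap_filter, search_scope=self._ldap3.SUBTREE, attributes=["1.1"])
        return [entry.entry_dn for entry in self._svc.entries]

    def bind(self, dn: str, password: str) -> bool:
        # Fresh connection per attempt; never reuse the service account's session.
        try:
            conn = self._ldap3.Connection(self._server, user=dn, password=password)
            ok = conn.bind()
            conn.unbind()
            return bool(ok)
        except self._LDAPException:
            return False


# Constructed sample directory: the two users from the question, plus a second
# entry carrying mary's mail value to exercise the "more than one match -> deny" rule.
BASE_DN = "OU=stuff,DC=example,DC=com"
SAMPLE_DIRECTORY = FakeDirectory({
    "CN=jsmith@yahoo.com,OU=stuff,DC=example,DC=com": {"mail": "jsmith@yahoo.com", "password": "Winter2024!"},
    "CN=mary@gmail.com,OU=stuff,DC=example,DC=com":   {"mail": "mary@gmail.com",   "password": "Spring2024!"},
    "CN=mary2,OU=stuff,DC=example,DC=com":            {"mail": "mary@gmail.com",   "password": "Spring2024!"},
})

if __name__ == "__main__":
    print(authenticate(SAMPLE_DIRECTORY, BASE_DN, "jsmith@yahoo.com", "Winter2024!"))  # the DN
    print(authenticate(SAMPLE_DIRECTORY, BASE_DN, "mary@gmail.com", "Spring2024!"))    # None: two matches
```

Note that the match on `mail` is what makes the user's DN (and therefore the CN) irrelevant to the login: the application never builds a DN from user input, it only binds with whatever DN the search returned.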